Pulling Linux Rabbit/Rabbot Malware Out of a Hat

December 6, 2018 | Anomali Labs

Overview

Cyber threat researchers from Anomali Labs have discovered a new malware, called “Linux Rabbit,” that targeted Linux servers and Internet-of-Things (IoT) devices in a campaign that began in August 2018 and continued until October 2018. The campaign targeted devices in Russia, South Korea, the UK, and the US. The campaign utilizes two strains of malware that share the same code base called Linux Rabbit and “Rabbot”. The goal of this campaign is to install cryptocurrency miners onto the targeted servers and devices. The type of Monero cryptominer installed is dependent upon what the machine’s architecture is. The threat bulletins associated with this blog post will thoroughly examine the general campaign and the individual malware processes for both Linux Rabbit and Rabbot.

This campaign was conducted by unknown threat actors and it is currently unclear what the initial infection vector is. The first campaign began in August 2018 and was utilizing the Linux Rabbit malware to infect Linux systems. The Linux Rabbit malware only targeted Linux servers that were located in specific countries: Russia, South Korea, the UK, and the US. This malware has four main functionalities which are:

Establish a connection to the Command and Control (C2) server using Tor gateways

Setup persistence

SSH brute force

Install the cryptocurrency miner

Additional information discussing the campaign such as infrastructure data and downloaded files can be viewed by ThreatStream users here.

For Linux Rabbit to establish a connection with the C2 server, it utilizes Tor hidden services to act as contact points to access a Tor gateway. The malware will randomly select one of the hidden services and then a Tor gateway to follow in order to establish an active C2 URL. The payload for the malware is then sent from the C2 server as an encoded URL parameter.

The malware’s second functionality is to gain persistence on an infected machine. This is completed through “rc.local” files and “.bashrc” files. After obtaining persistence, the next functionality of Linux Rabbit is to brute force SSH passwords which ultimately allows the malware to install the cryptocurrency miner onto the server. The SSH brute forcing begins by the malware first generating a random IPv4 string and checking its geolocation to see where it is located. If the IP is located within a country that is “blacklisted,” it will stop and move on until it finds an IP that is located in an allowed geolocation, which for this malware are Russia, South Korea, the UK, and the US. Once an allowed IP location is discovered, Linux Rabbit will check to see if an SSH server is listening on Port 22. The malware will open a socket to see if it receives a response, and if it does, it will attempt to obtain the machine’s hostname. Interestingly, this malware will also check the Top-Level Domain (TLD) of a host, and will skip any TLD that is blacklisted. Many of the blacklisted TLDs are government-related sites in a variety of countries. If the TLD is not blacklisted, the malware will run through a process of authentication utilizing a list of hard-coded credentials it has. The first two authentication certifications are to ensure that the malware is not in a “honey pot”. This is likely to avoid static analysis of the malware.

After all this, if the malware successfully discovers a viable target and is able to gain access through SSH credential brute forcing, the malware will be able to begin installation of the cryptocurrency miner. Linux Rabbit attempts to install both “CNRig” and “CoinHive” Monero miners onto the machine, but only one will actually successfully install depending on what type of architecture the machine is. If the machine is a x86-bit, it will install CNRig Monero miner and if the machine is an ARM/MISP, it will install CoinHive. If the infected machine is a web server, the malware will inject CoinHive script tags into every HTML file, so that even visitors of the site/server are also infected with the cryptocurrency miner. Linux Rabbit is able to connect to GitHub and receive updates from the threat actors. It also has a killswitch built-in. It is able to detect other miners already on a target machine and delete them from the machine during the installation of its own miner.

A technical breakdown of Linux Rabbit can be viewed by ThreatStream users here.

Following the Linux Rabbit campaign that occurred in August 2018, a new campaign followed it from September 2018 until October 2018 that utilized a different malware strain to infect machines. This new campaign used a self-propagating worm called “Rabbot” that shared the same code base with Linux Rabbit. However, Rabbot is not limited to infecting just Linux servers like Linux Rabbit because it can also target and infect Internet-of-Things (IoT) devices via known vulnerabilities. Most crucially, it is not restricted to only attacking devices in specific geolocations. The known vulnerabilities that Rabbot is capable of exploiting include the following:

A technical breakdown of Rabbot can be viewed by ThreatStream users here.

Both malware strains share the same code base which means they function almost exactly the same, except Rabbot will send all its payloads through an open port 80 to the Linux (web)servers, not checking to ensure that the process is successful. Since the malware will install different payloads depending on the architecture of the machine, it, in theory, does not need to check what was successfully installed or not, since one of the two cryptominers is guaranteed to run. Rabbot will also install CoinHive miners into various web pages via the infected web server by searching for “.HTML” files and inserting JavaScript files into the browser.